React Server Components have a critical RCE (CVSS 9.9) actively exploited by Earth Lamia, Jackpot Panda, and Red Menshen. Over 50 organizations compromised across financial services, government, and tech sectors. Attackers deploy PeerBlight backdoors, CowTunnel proxy tunnels, ZinFoq post-exploitation frameworks, XMRig miners, Sliver C2, and Kaiji botnet components. Shadowserver identified 165,000+ vulnerable IPs and 644,000 domains—99,200 in the U.S. alone. CISA shortened federal agency deadline to December 31. Palo Alto confirms overlap with Contagious Interview campaign (North Korea) and detects BPFDoor usage. More than 15 distinct threat clusters exploiting, from opportunistic cryptominers to nation-state actors. VulnCheck observes nearly 100 public PoCs. Half of exposed instances remain unpatched despite active exploitation since December 4.

📂 Threat Intelligence

CVE-2025-55182: React2Shell Crisis Hits 50+ Victims, CISA Deadline Looms